RE: Question about callback URL with SAML configuration

[Devine, Harry (FAA)]

This is what I have in server.xml now (I just added the Valve section within 
the last half hour based on an article I found here: 
https://guacamole.apache.org/doc/gug/reverse-proxy.html):

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

It didn’t make much of a difference.  But what do I need to change for the 
Apache ProxyPass lines in forward.conf?  I also see some references to the 
WebSocket Tunnel, which I don’t have in Apache at the moment.  Do I need that 
part also?

Thanks,
Harry

From: Jon Gerdes <gerd...@blueloop.net>
Sent: Wednesday, December 18, 2024 10:46 AM
To: user@guacamole.apache.org
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

Harry

I had a similar issue recently.  I "fixed" that by making the Guacamole WAR the 
root of the Tomcat server.  Add a Context section similar to this:


<Host name="localhost"  appBase="webapps"

            unpackWARs="true" autoDeploy="true">



        <Context path="" docBase="guacamole" debug="0" 
reloadable="true"></Context>



inside the Tomcat server.xml and restart it.  You will also need to change the 
ProxyPass lines in Apache.

Cheers
Jon



On Wed, 2024-12-18 at 14:02 +0000, Devine, Harry (FAA) wrote:
Also, I am doing a ProxyPass to proxy the traffic through Apache to the 
Guacamole backend on 8080:

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://localhost:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://localhost:8080/guacamole/
</Location>

Not sure how this plays into things.  But when I sign into the SAML with my 
smart card, that works, and the redirect back just keeps sending me back to the 
Okta MFA page, which detects I’m already logged in, and redirects back to 
Guacamole, and the cycle continues for a while until the 429 Too Many Requests 
comes across.

Thanks,
Harry

From: Devine, Harry (FAA) 
<harry.dev...@faa.gov.INVALID<mailto:harry.dev...@faa.gov.INVALID>>
Sent: Tuesday, December 17, 2024 3:26 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: RE: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

I’m not really getting any errors in the Tomcat logs or /var/log/messages.  I 
eventually just get a 429 Too Many Redirects error.  And the callback I’m 
referring too is what we need to put into the saml-callback-url propery in 
/etc/guacamole/guacamole.properties.  Currently, we have the server name itself 
(https://<server<https://%3cserver>>).  I’m assuming that needs to be something 
different.

Thanks,
Harry

From: Nick Couchman <vn...@apache.org<mailto:vn...@apache.org>>
Sent: Tuesday, December 17, 2024 3:20 PM
To: user@guacamole.apache.org<mailto:user@guacamole.apache.org>
Subject: Re: Question about callback URL with SAML configuration

CAUTION: This email originated from outside of the Federal Aviation 
Administration (FAA). Do not click on links or open attachments unless you 
recognize the sender and know the content is safe.

On Tue, Dec 17, 2024 at 3:13 PM Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid<mailto:harry.dev...@faa.gov.invalid>> wrote:


We are on Guacamole 1.5.4 at the moment, and we have a mandate to implement 
MFA.  We have been working with our IT department and using a test Guacamole 
server for the configuration testing.  We were initially trying OpenID but we 
kept getting an invalid response_type value.  So they suggested SAML, which we 
implemented and proved that we could log in.  However, we do get an error from 
Guacamole because the MFA doesn’t seem to know how to return the response back 
to our Guacamole server.


What error are you seeing? And what messages are you getting in the logs?

So, my question is: how to I implement or configure the Callback URL on our 
Guacamole server so the response that comes back can be retrieved?


Are you talking about the callback URL in the Guacamole configuration, or one 
specific to the SAML IdP?

-Nick